S2-SWM Swarm Sync Protocol (Swarm Synchronization and Right-of-Way Game Engine)

v1.1.0

Instructs the OpenClaw Agent on how to interact securely with other agents. Enforces Cryptographic Authentication before any right-of-way yielding or sensor...

by MilesXiang@spacesq
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign, medium confidence
Purpose & Capability
Name/description ask for cryptographic authentication and right-of-way arbitration and the skill only requests a single PKI root env var (S2_SWARM_PKI_ROOT); the included code and manifest implement signature checking, overlap detection, federated-tensor acceptance, and arbitration logic that match the stated purpose.
Instruction Scope
SKILL.md instructs the agent to pass peer broadcasts to the execute_swarm_sync tool and to act only on authenticated responses. It does not ask the agent to read unrelated files, exfiltrate data, or perform broad system discovery.
Install Mechanism
No install spec (instruction-only) reduces supply-chain risk. However, a handler.py and openclaw.plugin.json are present (native-code plugin runtime: python3). There are no external download URLs or archive extraction steps.
Credentials
Only one env var (S2_SWARM_PKI_ROOT) is required, which is appropriate for verifying peer signatures. That variable likely holds sensitive cryptographic material and should be protected. The plugin manifest also requests network permissions (p2p_mesh, localhost) which are plausible for a swarm protocol but worth auditing.
Persistence & Privilege
always:false and default autonomous invocation are used (normal). The skill does not request elevated persistent system-wide configuration changes. The network permission in the manifest is expected for P2P swarm use but expands runtime scope—review network policy mappings.
Assessment
This skill appears to do what it claims: authenticate peer broadcasts and decide right-of-way. Before installing or using it on real hardware:
1) Audit handler.py to confirm the real signature verification relies on a proper PKI/crypto library rather than the placeholder string check currently present (the code accepts only the literal "VALID_S2_FLEET_SIG").
2) Keep S2_SWARM_PKI_ROOT secret and verify its format/contents; don’t populate it with real production PKI before code review.
3) Confirm the platform interpretation of the manifest network permission (p2p_mesh/localhost) — ensure it cannot reach unexpected networks.
4) Test thoroughly in a safe/simulated environment (no live actuators) to confirm arbitration behavior and failure modes.
5) Prefer obtaining a vetted upstream source/homepage or author verification since the package source is unknown.
If you cannot review the code, do not deploy to physical robots or critical systems.


latest: vk97e0ewwt1ekwgzde9sr92a7nh84bd07

Runtime requirements

Env: S2_SWARM_PKI_ROOT
